Staff at the Korea Internet and Security Agency in Seoul, South Korea monitor possible ransomware cyberattacks in May 2017.
(Yun Dong-jin/Yonhap via AP)

Ransomware like Bad Rabbit is big business

Michael J. Armstrong, Teju Herath, Brock University

October 25, 2017 6.48pm EDT

October is Cybersecurity Awareness Month, which is being observed in the United States, Europe, and elsewhere around the world. Ironically, it began with updates about a large-scale hack, and is ending with a large-scale ransomware outbreak.

Internet firm Yahoo kicked things off on Oct. 3 when it admitted that hackers in 2013 had accessed information about all three billion of its user accounts, not “just” the one billion first reported.

Ransomware “Bad Rabbit” is providing the finale with attacks that began Oct. 24. So far, the outbreak is mostly affecting business computers in Russia.

Your money or your data

Traditional criminal hackers obtain their ill-gotten gains by stealing valuable data such as credit card numbers or passwords. They then look for customers, such as other criminals, to buy that data.

In contrast, ransomware hackers sell data back to its owners. If ransomware infects your computer, it encrypts your files to render them inaccessible until you pay a ransom. This simplifies cybercrime by replacing theft with extortion.

Growing scale and sophistication

Much like legitimate firms, some ransomware charges lower “prices” but targets larger volumes. Bad Rabbit demands only a few hundred dollars to decrypt each computer. But it is affecting machines across Russia.

An IBM survey found that almost half of businesses suffered ransomware attacks in 2016. Some 70 per cent of those paid a ransom to regain their data.

The survey also indicates small businesses are particularly vulnerable. They often lack the computer expertise to defend themselves. Only 30 per cent provided cybersecurity training to employees, compared to 58 per cent within larger companies.

Ransomware’s sophistication is growing too. Ransomware “worms” like ZCryptor spread themselves across networks, rather than riding on infected emails.

Some ransomware specialists are selling their services to organized crime. This crime-as-a-service business model allows criminals to outsource their technology needs. User-friendly ransomware “kits” can be purchased for $175.

A specialist works at the U.S. National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va. in Sept. 2014. (AP Photo/Manuel Balce Ceneta)

Future possibilities

These cyber-privateers could plunder commerce abroad, without the host country’s direct involvement or accountability. Think of regional rivals like North and South Korea, or major powers like the U.S., Russia and China.

Sound far-fetched? Russian security services have already been accused of working with organized crime on cyberattacks. The Russian government denies any involvement. But its president, Vladimir Putin, did suggest independent “patriotic hackers” may have tampered with the U.S. election process.

How about virtual protection rackets? Instead of one-time payments for decryption, users might be “convinced” to pay ongoing fees for the “service” of avoiding encryption.

Or instead of hiding virtual data, ransomware could shut down physical objects. The Internet of Things is exposing new targets. Control systems for factories, utilities and our homes are increasingly online.

Corporate and government action

Software makers should do more to facilitate safe computing practices. For example, it’s great that Windows now has self-updating antivirus protection. Unfortunately, it’s still awkward to back up data onto removable drives.

Business insurers could also play a role. They might require corporate computers to be updated and backed up to qualify for coverage.

Finally, firms might consider keeping key systems disconnected from the internet, as some military computers have always been. Just because anything can be online, it doesn’t mean everything should be.

The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.